EFS & Virus Infection & Unable to login


Recommended Posts

Posted

Hello,

I'm fixing a computer at my work. The computer has been infected with

lots of viruses and malware. Most of the viruses have been removed by

plugging the hard drive into another computer and removing them that way.

 

Unfortunately, one of the users has used EFS to encrypt lots of important

documents. I am unable to login at all; as soon as the welcome screen quits

after a successful username and password have been entered, the system hangs and

does not complete loading.

 

The installation of windows is not important to me but the documents are. My

questions are:


Is it somehow possible to export the Recovery Agent without being logged in

as that user (i.e. from the recovery console)?

 

Can I do a repair install without compromising EFS and becoming locked out

from the files?

 

Is there any software out there designed to brute force the EFS technology?

 

Is there a way to restore the registry to a basic state (i.e. to that of

when it was installed) but keep the SID the same for the user account?


I know it's a few questions but I've run into lots of problems with this

computer and have tried lots of different methods to extract the information.

 

Thanks,

Adam


Posted

RE: EFS & Virus Infection & Unable to login

 

Anybody??

 


Guest Patrick Keenan
Posted

Re: EFS & Virus Infection & Unable to login

 

 

"Adam" <Adam@discussions.microsoft.com> wrote in message

news:119BC5FB-63BD-4129-B9F7-3D6D5024AB2A@microsoft.com...

> Hello,

> I'm fixing a computer at my work. The computer has been infected with

> lots of viruses and malware. Most of the viruses have been removed by

> plugging the hard drive into another computer and removing them that way.

>

> Unfortunately, one of the users has used EFS to encrypt lots of important

> documents. I am unable to login at all; as soon as the welcome screen

> quits

> after a successful username and password have been entered, the system hangs

> and

> does not complete loading.

>

> The installation of windows is not important to me but the documents are.

> My

> questions are:

>

> Is it somehow possible to export the Recovery Agent without being logged

> in

> as that user (i.e. from the recovery console)?

 

I think you mean export the credentials, and since you log in as the

Administrator from the recovery console, the answer would be no.

 

> Can I do a repair install without compromising EFS and becoming locked out

> from the files?

 

It's unlikely, and risky at best. If you want to try this, try it on a

clone.

 

>

> Is there any software out there designed to brute force the EFS

> technology?

 

I know of none.

> Is there a way to restore the registry to a basic state (i.e. to that of

> when it was installed) but keep the SID the same for the user account?

 

Perhaps, but I wouldn't try it on the original disk. See below.

>

> I know it's a few questions but I've run into lots of problems with this

> computer and have tried lots of different methods to extract the

> information.

>

> Thanks,

> Adam

 

You seem to consider the documents to be of value, and understand that

there are many risks with EFS, that can easily lead to permanent data loss.

 

So, the thing to do is to protect the original and work from a clone.

Find a suitable hard disk that you can clone this original disk to - perhaps

make an image file on hard disk as you may be trying this more than once.

If you don't have it, clone using something like the Acronis TrueImage trial

version. This will give you a couple of weeks for effort.

 

Make an image file from the original and set the disk aside somewhere safe.

Use that image file to create a clone on another disk, and work on the copy.

If you find a process that doesn't work, you can safely start over without

having to fear that you have lost the data. This is a much more relaxing,

or at least less tense, scenario.

 

The cloning process shouldn't take you very long, and is quick if you also

have a USB2 drive adapter, about $20. The cloning process will also give

you a spot to think.

 

You may even find that part of the problem is a disk error that the new disk

helps overcome, though such an error may also damage the credentials you

need.

 

Once cloned, try getting into the account in Safe Mode, and then using

msconfig to turn everything that isn't needed to just boot OFF, including

services. Then try restarting in regular mode.

 

You can also at this point safely attempt manual registry swaps, as adapted

from this KB article:

http://support.microsoft.com/kb/307545

 

You can perform the swaps hosting the drive in another system using the USB2

drive adapter, you don't need to boot to the Recovery Console.

 

And this way, if the attempts don't work, you haven't damaged the data, only

lost a bit of time. You can go back and try again.

 

HTH, and good luck.

-pk
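The clone-first hive swap described above, as an added PowerShell example that is not part of this thread or of KB 307545. It assumes the cloned disk is hosted in another Windows system as D: with Windows in D:\WINDOWS and the install-time hives present in D:\WINDOWS\repair; the parameter names, the backup folder and the -DoSwap switch are this example's own. It refuses to touch the running OS, inventories the EFS-encrypted files at stake, backs up the five hives, and only then copies the repair hives in.

```powershell
# Added example, not from the thread or from KB 307545: offline hive swap run
# against a CLONE hosted in another Windows system. Assumed: clone is D:,
# Windows lives in D:\WINDOWS, install-time hives exist in D:\WINDOWS\repair.
param(
    [string]$CloneRoot = 'D:\WINDOWS',
    [switch]$DoSwap      # without this switch the script only inventories and backs up
)

$config = Join-Path $CloneRoot 'system32\config'
$repair = Join-Path $CloneRoot 'repair'
$hives  = 'system', 'software', 'sam', 'security', 'default'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $CloneRoot "tmp\hives-$stamp"

# 1. Never run this against the live OS: its hives are locked, and the whole
#    point of the advice above is to leave the original disk untouched.
if ($CloneRoot.TrimEnd('\') -ieq $env:SystemRoot.TrimEnd('\')) {
    throw 'Refusing to operate on the running system''s own hives.'
}
foreach ($h in $hives) {
    if (-not (Test-Path (Join-Path $config $h))) { throw "Hive not found: $config\$h" }
}
New-Item -ItemType Directory -Path $backup -Force | Out-Null

# 2. Inventory: list the EFS-encrypted files on the clone so each attempt can
#    be checked against the same list afterwards.
$driveRoot = (Split-Path $CloneRoot -Qualifier) + '\'
$encrypted = Get-ChildItem -Path $driveRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   (($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0) }
$encrypted | Select-Object -ExpandProperty FullName |
    Set-Content -Path (Join-Path $backup 'efs-files.txt')
"EFS-encrypted files on clone: $(@($encrypted).Count) (list saved to $backup\efs-files.txt)"

# 3. Save the current hives (KB 307545, first stage) so any attempt is reversible.
foreach ($h in $hives) {
    Copy-Item -Path (Join-Path $config $h) -Destination (Join-Path $backup "$h.bak") -Force
}
"Current hives saved to $backup"

# 4. Swap in the install-time hives from repair\ only when explicitly requested.
if ($DoSwap) {
    foreach ($h in $hives) {
        $src = Join-Path $repair $h
        if (-not (Test-Path $src)) { throw "Missing repair hive: $src" }
        Copy-Item -Path $src -Destination (Join-Path $config $h) -Force
    }
    "Repair hives copied in. To roll back, copy $backup\*.bak over $config without the .bak suffix."
}
```

Run it from an elevated PowerShell on the host machine, not on the clone itself; the KB's later stage (copying the _REGISTRY_MACHINE_* snapshot files out of a restore point in System Volume Information) is not automated here.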

Guest Twayne
Posted

Re: EFS & Virus Infection & Unable to login

 

> Hello,

> I'm fixing a computer at my work. The computer has been infected

> with lots of viruses and malware. Most of the viruses have been

> removed by plugging the hard drive into another computer and removing

> them that way.

>

> Unfortunately, one of the users has used EFS to encrypt lots of

> important documents. I am unable to login at all; as soon as the

> welcome screen quits after a successful username and password have

> been entered, the system hangs and does not complete loading.

>

> The installation of windows is not important to me but the documents

> are. My questions are:

 

And my question is, why didn't you or someone export the keys needed to

recover those files in the very beginning? They may well be gone now, so

hope for good backups in your company IT.

>

> Is it somehow possible to export the Recovery Agent without being

> logged in as that user (i.e. from the recovery console)?

No. Not now.

>

> Can I do a repair install without compromising EFS and becoming

> locked out from the files?

 

No. Not without the keys disk.

>

> Is there any software out there designed to brute force the EFS

> technology?

 

No. That's why it's such a reliable encryption and why it's so

important to export the keys and assign an agent.

>

> Is there a way to restore the registry to a basic state (i.e. to that

> of when it was installed) but keep the SID the same for the user

> account?

 

No, I don't think so. I know a lot of people who tried but AFAIK it just

cannot be done. Unless possibly you know the SIDs? But then even the

keys are encrypted too, so not sure it'd do any good even if you could.

 

Certainly, since this is a work computer, there are backups somewhere,

right? If not, I'd find another company to work for or get real smart

real fast if you don't get fired first.

>

> I know it's a few questions but I've run into lots of problems with

> this computer and have tried lots of different methods to extract the

> information.

>

> Thanks,

> Adam
